I'm using message properties that contain some basic HTML markup and parameters, e.g. `some.message=Hello <strong>{0}</strong>`. To output this I then use utext so that I don't lose the HTML formatting, but this means that the parameters should be HTML escaped first (as per the docs - https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#messages):

```html
<p th:utext="#{home.welcome(${session.user.name})}">
  Welcome to our grocery store, Sebastian Pepper!
</p>
```

Note that the use of th:utext here means that the formatted message will not be escaped. This example assumes that user.name is already escaped.

Under the hood the `th:text` processor uses `HtmlEscape.escapeHtml4Xml` from a 3rd party library. You can get to this easily by using `#strings.escapeXml` (which despite the name is using `HtmlEscape.escapeHtml4Xml`). I appreciate that the HTML is XML encoded, but it seems a bit odd to ask for XML escaping in an HTML template and there is no `#strings.escapeHtml`.
So I've done this:

Is there a best-practice way of escaping these parameters?

Thanks
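As an added illustration of the escaping the post is asking about (this is example code, not code from the post or from Thymeleaf itself): the message pattern keeps its own markup, while every parameter is run through the same `HtmlEscape.escapeHtml4Xml` routine that `th:text` uses before `MessageFormat` substitutes it. The class name, the helper names and the hostile input are assumptions made for the example; it assumes unbescape (Thymeleaf 3's escaping dependency) is on the classpath.

```java
import java.text.MessageFormat;
import org.unbescape.html.HtmlEscape;

/**
 * Added example, not code from the post or from Thymeleaf: escape message
 * parameters before they are substituted into a message that carries markup
 * and is rendered with th:utext. Assumes org.unbescape on the classpath.
 */
public class EscapedMessageParams {

    // Same shape as the post's some.message=Hello <strong>{0}</strong>
    static final String SOME_MESSAGE = "Hello <strong>{0}</strong>";

    /** Unsafe: the raw parameter lands inside markup that th:utext will not escape. */
    static String formatUnsafe(String pattern, Object... args) {
        return MessageFormat.format(pattern, args);
    }

    /**
     * Safe: escape every parameter with the routine th:text uses
     * (HtmlEscape.escapeHtml4Xml escapes <, >, &, " and '), then format.
     * Note that arguments are turned into strings first, so MessageFormat's
     * locale-aware number/date formatting is deliberately bypassed here.
     */
    static String formatEscaped(String pattern, Object... args) {
        Object[] escaped = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            escaped[i] = args[i] == null
                    ? null
                    : HtmlEscape.escapeHtml4Xml(String.valueOf(args[i]));
        }
        return MessageFormat.format(pattern, escaped);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and a hostile, attacker-controlled one
        String benign = "Sebastian Pepper";
        String hostile = "<img src=x onerror=alert(1)>";

        // The parameter's own markup survives in the unsafe version...
        System.out.println(formatUnsafe(SOME_MESSAGE, benign));
        System.out.println(formatUnsafe(SOME_MESSAGE, hostile));

        // ...while in the escaped version only the message's <strong> remains markup
        System.out.println(formatEscaped(SOME_MESSAGE, benign));
        System.out.println(formatEscaped(SOME_MESSAGE, hostile));
    }
}
```

Inside a template the equivalent is the approach the post already names, `th:utext="#{some.message(${#strings.escapeXml(user.name)})}"`, which routes the parameter through the same `escapeHtml4Xml` call. One caveat worth keeping in mind: that routine escapes only the five markup-significant characters, which is adequate when the placeholder sits in element text or inside a quoted attribute value, but not if a message ever places a parameter into an unquoted attribute, a URL, or an inline script or event handler, so keep the markup in message properties to static tags like the `<strong>` above.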